https://bugzilla.redhat.com/show_bug.cgi?id=1051108

Petr Pisar <ppisar@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ratulg@xxxxxxxxxx
              Flags|                            |needinfo?(ratulg@xxxxxxxxxx)

--- Comment #3 from Petr Pisar <ppisar@xxxxxxxxxx> ---
(In reply to Vincent Danen from comment #2)
> The actual proposed patch to upstream is here:
>
> * https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch
>
> Based on the discussion in bug #1030572, there is no real "fix" for this as
> it seems that Storable deserialization is exposed prior to password-based
> authentication (see how AcceptUser is called in the server code).
>
> MITRE assigned CVE-2013-7284 to this issue.

Is amending the PlRPC documentation with this patch sufficient to close this
bug, or should we keep this open until a real fix in the code (extension of
Storable module and utilizing it in PlRPC) is available?